F2009VE 06
SECTION 6: OPERATIONAL ENVIRONMENT
AS.06.01 If the operational environment is a modifiable operational environment, the operating system requirements in Section 4.6.1 shall apply.
Note: This assertion is not separately tested.
Passed
Assessment:
AS.06.03 The following requirements shall apply to operating systems for Security Level 1.
Note: This assertion is tested as part of AS06.04 through AS06.08.
Assessment:
AS.06.04 The operating system shall be restricted to a single operator mode of operation (i.e., concurrent operators are explicitly excluded).
Note: This requirement cannot be enforced by administrative documentation and procedures, but must be enforced by the cryptographic module itself.
Assessment:
VE.06.04.01
VE.06.04.01 The vendor shall provide a description of the mechanism used to ensure that only one user at a time can use the cryptographic module.
Assessment:
AS.06.05 The cryptographic module shall prevent access by other processes to plaintext private and secret keys, CSPs, and intermediate key generation values during the time the cryptographic module is executing/operational.
Note: This requirement cannot be enforced by administrative documentation and procedures, but must be enforced by the cryptographic module itself. Processes that are spawned by the cryptographic module are owned by the module and are not owned by external processes/operators.
Assessment:
VE.06.05.01
VE.06.05.01 The vendor shall provide a description of the mechanism used to ensure that no other process can access private and secret keys, intermediate key generation values, and other CSPs, while the cryptographic process is in use.
Assessment:
AS.06.06 Non-cryptographic processes shall not interrupt the cryptographic module during execution.
Assessment:
VE.06.06.01
VE.06.06.01 The vendor shall provide a description of the mechanism used to ensure that no other process can interrupt the cryptographic module during execution.
Assessment:
AS.06.07 All cryptographic software and firmware shall be installed in a form that protects the software and firmware source and executable code from unauthorized disclosure and modification.
Assessment:
VE.06.07.01
VE.06.07.01 The vendor shall provide a list of the cryptographic software and firmware that are stored on the cryptographic module and shall provide a description of the protection mechanisms used to prevent unauthorized disclosure and modification.
Assessment:
AS.06.08 A cryptographic mechanism using an Approved integrity technique (e.g., an Approved message authentication code or digital signature algorithm) shall be applied to all cryptographic software and firmware components within the cryptographic module.
Assessment:
VE.06.08.01
VE.06.08.01 The vendor shall provide documentation that identifies the technique used to maintain the integrity of the cryptographic software and firmware components.
Assessment:
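The integrity technique required by AS.06.08 and documented under VE.06.08.01, shown as an added example (not text or code from the DTR or from any vendor submission): an HMAC-SHA256 (an Approved message authentication code) is computed at installation over a manifest of every cryptographic software component inside the boundary, and re-verified before the module is used. The component names, their contents and the integrity key are constructed for illustration; the DTR does not prescribe this manifest layout, only that an Approved MAC or digital signature cover all components.

```python
"""Software/firmware integrity check in the style of AS.06.08.

A SHA-256 digest is recorded for each component and one HMAC-SHA256 tag
protects the whole manifest, so that neither a component nor the manifest
itself can be altered without the integrity key.
"""
import hashlib
import hmac

# Constructed stand-ins for the module's software components (name -> bytes).
# In a real module these are the files read from inside the cryptographic boundary.
MODULE_COMPONENTS = {
    "libcrypto_core.so": b"\x7fELF...constructed core library image...",
    "kdf.bin": b"constructed key-derivation firmware blob",
    "selftest.bin": b"constructed power-up self-test code",
}

# Constructed integrity key (assumption).  AS.06.08 only requires an Approved
# technique; in practice the key must itself be protected inside the boundary.
INTEGRITY_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def component_digest(data: bytes) -> bytes:
    """SHA-256 of one component image."""
    return hashlib.sha256(data).digest()


def _manifest_bytes(digests: dict[str, str]) -> bytes:
    # Canonical, sorted encoding so the HMAC is independent of dict order.
    return "\n".join(f"{n} {d}" for n, d in sorted(digests.items())).encode()


def build_manifest(components: dict[str, bytes], key: bytes) -> dict:
    """Installation step: per-component digests plus one HMAC over all of them."""
    digests = {name: component_digest(data).hex() for name, data in components.items()}
    tag = hmac.new(key, _manifest_bytes(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "hmac": tag}


def verify_integrity(components: dict[str, bytes], manifest: dict, key: bytes) -> tuple[bool, list[str]]:
    """Load-time step: returns (ok, failures).

    The manifest HMAC is checked first; a forged manifest must fail before any
    per-component comparison is trusted.
    """
    digests = manifest["digests"]
    expected = hmac.new(key, _manifest_bytes(digests), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest: HMAC mismatch (manifest altered or wrong key)"]

    failures = []
    # Every listed component must be present and unchanged ...
    for name, digest_hex in sorted(digests.items()):
        data = components.get(name)
        if data is None:
            failures.append(f"{name}: missing")
        elif not hmac.compare_digest(component_digest(data).hex(), digest_hex):
            failures.append(f"{name}: digest mismatch")
    # ... and nothing unlisted may have been added inside the boundary.
    for name in sorted(components):
        if name not in digests:
            failures.append(f"{name}: not in manifest")
    return not failures, failures


if __name__ == "__main__":
    manifest = build_manifest(MODULE_COMPONENTS, INTEGRITY_KEY)
    print("intact:", verify_integrity(MODULE_COMPONENTS, manifest, INTEGRITY_KEY))
    tampered = dict(MODULE_COMPONENTS, **{"kdf.bin": b"backdoored"})
    print("tampered:", verify_integrity(tampered, manifest, INTEGRITY_KEY))
```

The check is only as strong as the protection of INTEGRITY_KEY and of the manifest's storage location, which is why this assertion sits alongside AS.06.07 (protection of the installed code from modification) rather than replacing it. A digital signature in place of the HMAC removes the need to keep a secret key inside the module at verification time, at the cost of embedding a trusted public key.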
AS06.10 (Level 2) All cryptographic software and firmware, cryptographic keys and CSPs, and control and status information shall be under the control of
- an operating system that meets the functional requirements specified in the Protection Profiles listed in Annex B and is evaluated at the CC evaluation assurance level EAL2, or
- an equivalent evaluated trusted operating system.
VE.06.10.01
VE.06.10.01 (Level 2) The vendor shall provide documentation that the operating system controlling the cryptographic module has successfully passed evaluation at EAL2 for the functional requirements specified in the protection profiles listed in Annex B.
AS06.11 (Level 2) To protect plaintext data, cryptographic software and firmware, cryptographic keys and CSPs, and authentication data, the discretionary access control mechanisms of the operating system shall be configured to specify the set of roles that can execute stored cryptographic software and firmware.
AS06.12 (Level 2) To protect plaintext data, cryptographic software and firmware, cryptographic keys and CSPs, and authentication data, the discretionary access control mechanisms of the operating system shall be configured to specify the set of roles that can modify (i.e., write, replace, and delete) the following cryptographic module software or firmware components stored within the cryptographic boundary: cryptographic programs, cryptographic data (e.g., cryptographic keys and audit data), CSPs, and plaintext data.
AS06.13 (Level 2) To protect plaintext data, cryptographic software and firmware, cryptographic keys and CSPs, and authentication data, the discretionary access control mechanisms of the operating system shall be configured to specify the set of roles that can read the following cryptographic software components stored within the cryptographic boundary: cryptographic data (e.g., cryptographic keys and audit data), CSPs, and plaintext data.
AS06.14 (Level 2) To protect plaintext data, cryptographic software and firmware, cryptographic keys and CSPs, and authentication data, the discretionary access control mechanisms of the operating system shall be configured to specify the set of roles that can enter cryptographic keys and CSPs.
VE.06.14.01
VE.06.14.01 (Level 2) The vendor shall provide documentation that specifies how the discretionary access control (DAC) mechanism is configured to meet the requirements of AS06.11, AS06.12, AS06.13, and AS06.14.
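One way to check the DAC configuration that VE.06.14.01 asks the vendor to document, as an added example (not text or code from the DTR or from any vendor submission). It assumes a POSIX operating system where roles are expressed through file ownership: the crypto officer owns every object inside the boundary, the group holds the operators permitted to execute the module, and "other" stands for every unauthorised role. The policy maps each assertion to the mode bits that must be clear, builds a constructed module directory with weak and then corrected permissions, and reports each violation against the assertion it breaks.

```python
"""DAC configuration check for AS06.11 to AS06.14 on a POSIX system.

Roles are modelled as owner (crypto officer), group (operators allowed to
execute the module) and other (no role); this role model is an assumption.
"""
import os
import stat
import tempfile

# Mode bits that must be clear for each class of object inside the boundary.
POLICY = {
    # AS06.11: only configured roles may execute stored programs (no 'other'
    # execute); AS06.12: only the crypto officer may modify them.
    "program": {"forbidden": stat.S_IXOTH | stat.S_IWGRP | stat.S_IWOTH, "why": "AS06.11/AS06.12"},
    # AS06.12/AS06.13: keys, CSPs, audit data and plaintext are owner-only.
    "csp": {"forbidden": stat.S_IRWXG | stat.S_IRWXO, "why": "AS06.12/AS06.13"},
    # AS06.14: the location keys and CSPs are entered into is writable by the
    # crypto officer only.
    "key_entry_dir": {"forbidden": stat.S_IWGRP | stat.S_IWOTH, "why": "AS06.14"},
}


def check_dac(objects: dict[str, str], expected_owner: int) -> list[str]:
    """objects maps path -> class in POLICY; returns one finding per violation."""
    findings = []
    for path, cls in objects.items():
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            # A symlink lets a writer outside the boundary redirect the object.
            findings.append(f"{path}: symlink inside the boundary ({POLICY[cls]['why']})")
            continue
        if st.st_uid != expected_owner:
            findings.append(f"{path}: owner uid {st.st_uid} is not the crypto officer")
        mode = stat.S_IMODE(st.st_mode)
        bad = mode & POLICY[cls]["forbidden"]
        if bad:
            findings.append(f"{path}: mode {oct(mode)} grants {oct(bad)} ({POLICY[cls]['why']})")
    return findings


def demo(weak: bool) -> list[str]:
    """Create a constructed module directory, weak or corrected, and check it."""
    root = tempfile.mkdtemp(prefix="fips_dac_")
    prog = os.path.join(root, "libcrypto_core.so")   # constructed program image
    key = os.path.join(root, "master.key")           # constructed CSP
    entry = os.path.join(root, "key_entry")          # constructed key-entry location
    with open(prog, "wb") as f:
        f.write(b"constructed program image")
    with open(key, "wb") as f:
        f.write(b"constructed CSP")
    os.mkdir(entry)
    if weak:
        os.chmod(prog, 0o777)   # any role can execute and replace the module
        os.chmod(key, 0o644)    # any role can read the key
        os.chmod(entry, 0o777)  # any role can enter keys
    else:
        os.chmod(prog, 0o750)   # officer rw, operator group execute, nothing for other
        os.chmod(key, 0o600)    # crypto officer only
        os.chmod(entry, 0o700)  # crypto officer only
    return check_dac({prog: "program", key: "csp", entry: "key_entry_dir"}, os.getuid())


if __name__ == "__main__":
    print("weak configuration:", demo(weak=True))
    print("corrected configuration:", demo(weak=False))
```

Where more than one role must read or execute an object, POSIX ACLs (setfacl) or the operating system's equivalent extend this beyond a single group, and the documentation for VE.06.14.01 should state the role-to-principal mapping the check relies on, since the mode bits alone say nothing about who is in the group.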
AS06.15 (Level 2) The operating system shall prevent all operators and executing processes from modifying executing cryptographic processes (i.e., loaded and executing cryptographic program images). In this case, executing processes refer to all non-operating system processes (i.e., operator-initiated), cryptographic or not.
VE.06.15.01
VE.06.15.01 The vendor shall provide documentation that specifies how the operating system prevents all operators and executing processes from modifying executing cryptographic processes.
AS06.16 (Level 2) The operating system shall prevent operators and executing processes from reading cryptographic software stored within the cryptographic boundary.
VE.06.16.01
VE.06.16.01 (Level 2) The vendor shall provide documentation that specifies how the operating system prevents operators and executing processes from reading cryptographic software stored within the cryptographic boundary.
AS06.17 (Level 2) The operating system shall provide an audit mechanism to record modifications, accesses, deletions, and additions of cryptographic data and CSPs.
Note: An assumption of this assertion is that the cryptographic module must use the audit mechanism provided by the operating system to audit the identified events. It is not sufficient for the cryptographic module software to use another file as its audit log, no matter how well protected.
VE.06.17.01
VE.06.17.01 (Level 2) The vendor shall identify all the events that are auditable by the cryptographic module software. The list shall include the events specified in AS06.18 and AS06.19.
Note: The tester DOES NOT have to test the audit mechanism provided by the operating system and identified by the vendor.
AS06.18 (Level 2) The following events shall be recorded by the audit mechanism:
- attempts to provide invalid input for crypto officer functions, and
- the addition or deletion of an operator to/from a crypto officer role.
Note: This assertion is tested as part of AS06.17.
AS06.19 (Level 2) The audit mechanism shall be capable of auditing the following events:
- operations to process audit data stored in the audit trail,
- requests to use authentication data management mechanisms,
- use of a security-relevant crypto officer function,
- requests to access user authentication data associated with the cryptographic module,
- use of an authentication mechanism (e.g., login) associated with the cryptographic module,
- explicit requests to assume a crypto officer role, and
- the allocation of a function to a crypto officer role.
Note: This assertion is tested as part of AS06.17.